You're entirely right, Chris.  The onus is on us.  I'll get this fixed up
tomorrow.  Sorry to anyone who lost time on this bug!

On Mon, Oct 27, 2008 at 7:10 PM, Chris Thompson
<[EMAIL PROTECTED]> wrote:
> I am the developer of Net::Twitter.
>
> Or, at least, I was before I handed it off because I grew tired of trying to
> keep up with the foibles of the API. But, since the new guy hasn't released
> anything, my name is still on the most recent version. So I get emails from
> people, and questions on irc.perl.org about this.
>
> The problem in this case lies squarely on Twitter's side.
>
> Alex says:
>
>>Are you quite sure that you're making the request authenticated?  It
>>will return a 404 if it can't authenticate you, because that URL
>>doesn't specify a user ID to retrieve a timeline for and thus assumes
>>that you want the timeline for the requesting user.
>
> This is not how HTTP Auth works.
>
> The correct handshake for a URL that needs Auth is:
>
> 1) I request, with no WWW-Authenticate: header
> 2) Server responds with a 401: Unauthorized and a WWW-Authenticate header
> containing the realm
> 3) I re-request with the WWW-Authenticate header containing user/pass
> 4) Server decides that auth header is good, responds with a 200, or decides
> it's bad and goes back to #2
>
> Net::Twitter uses perl's libwww (LWP) which, in turn, implements the HTTP
> protocol to spec. It doesn't send the WWW-Authenticate header until it sees
> a 401. This is a specific part of HTTP as defined in RFC2617.
>
> If you think about it in terms of a browser like firefox, the browser CAN'T
> send an auth header until it is told it needs one, and it puts up an auth
> popup with the Realm listed that it got from the 401.
>
> LWP is doing the right thing, Twitter simply isn't asking for the auth.
>
> If you use curl or wget from the command line to hit the user_timeline url,
> it works. The reason for this is, you specify user and pass on the command
> line and both curl or wget just jam the WWW-Authenticate header in there
> whether it ever gets asked for it or not, violating RFC.
>
> Same with Matt Sanford's perl using authorization_basic. This is not part of
> LWP::UserAgent, but part of HTTP::Headers and what it does is force the
> WWW-Authorize header into the request, always-on, just like curl and wget,
> and yet again violating the RFC.
>
> LWP is only "being finicky" if by finicky you mean "Implementing RFC2617 as
> written".
>
> I hate to be a pest on this, but the credentials code in Net::Twitter hasn't
> changed at all since Net::Twitter 1.0.0 way back in March of 2007. You guys
> are doing the right thing everywhere except user_timeline. If you had it
> throw the 401 first, you'd get the auth. 404's just flat wrong here.
>
> --
> ------------------------
> Chris Thompson
>



-- 
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
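A small in-process model of the handshake Chris describes, added here as an example and not code from the thread or from Net::Twitter: a challenge-first client (how LWP behaves) run against a server that issues the RFC 2617 401 challenge and against one that answers 404 instead, beside a curl/wget-style client that attaches credentials unasked. The realm, user name and password are constructed values.

```python
import base64

REALM = "Twitter API"        # constructed realm, not the real service's value
USERS = {"alice": "s3cret"}  # constructed credential store


def _check_basic(auth_header):
    """Return the user name if the Authorization header carries valid Basic creds."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user if USERS.get(user) == pw else None


def server_rfc2617(headers):
    """Spec-following server: no/bad credentials -> 401 plus a WWW-Authenticate challenge."""
    user = _check_basic(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
    return 200, {}, f"timeline for {user}"


def server_404_on_unauth(headers):
    """Server that hides the auth requirement behind a 404 (the behaviour discussed above)."""
    user = _check_basic(headers.get("Authorization"))
    if user is None:
        return 404, {}, "Not Found"
    return 200, {}, f"timeline for {user}"


def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def client_challenge_first(server, user, pw):
    """LWP-style client: send no credentials until a 401 with a Basic challenge arrives."""
    status, hdrs, body = server({})
    if status == 401 and hdrs.get("WWW-Authenticate", "").startswith("Basic "):
        status, hdrs, body = server({"Authorization": basic_header(user, pw)})
    return status, body


def client_preemptive(server, user, pw):
    """curl/wget-style client: attach Authorization on the first request, whether asked or not."""
    status, _, body = server({"Authorization": basic_header(user, pw)})
    return status, body
```

Only the challenge-first client against the 401-issuing server both authenticates and avoids handing credentials to a server that never asked for them; against the 404 variant it simply reports "Not Found".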